Suspicious ArcSOC.exe Child Process
Detects script interpreters, command-line tools, and similar suspicious child processes of ArcSOC.exe. ArcSOC.exe is the process name which hosts ArcGIS Server REST services. If an attacker compromises an ArcGIS Server system and uploads a malicious Server Object Extension (SOE), they can send crafted requests to the corresponding service endpoint and remotely execute code from the ArcSOC.exe process.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
detection:
selection:
ParentImage|endswith: '\ArcSOC.exe'
Image|endswith:
- '\cmd.exe'
- '\cscript.exe'
- '\mshta.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\wmic.exe'
- '\wscript.exe'
filter_main_cmd:
Image|endswith: '\cmd.exe'
CommandLine: 'cmd.exe /c "ver"'
condition: selection and not 1 of filter_main_*False positive likelihood has not been assessed. Additional context may be needed during triage.